HEARING TO REVIEW U.S. DEPARTMENT OF 
AGRICULTURE’S RELEASE OF PROGRAM 
BENEFICIARIES’ SOCIAL SECURITY NUMBERS 
AND THE DEPARTMENT’S INFORMATION 
SYSTEMS, GENERALLY 


WEDNESDAY, MAY 2, 2007 

House of Representatives, 

Committee on Agriculture, 

Washington, D.C. 

The Committee met, pursuant to call, at 1:05 p.m., in Room 1300 
of the Longworth House Office Building, Hon. Collin C. Peterson 
[Chairman of the Committee] presiding. 

Members present: Representatives Peterson, Holden, Etheridge, 
Boswell, Baca, Herseth Sandlin, Salazar, Ellsworth, Boyda, Space, 
Walz, Pomeroy, Barrow, Donnelly, Goodlatte, Foxx, Moran, Graves, 
Neugebauer, Conaway, Schmidt, Smith, and Walberg. 

Staff present: Tyler Jameson, Rob Larew, John Riley, Sharon 
Rusnak, Lisa Shelton, April Slayton, Debbie Smith, Kristin 
Sosanie, Bryan Dierlam, Alise Kowalski, Bill O’Conner, and Jamie 
Weyer. 

OPENING STATEMENT OF HON. COLLIN C. PETERSON, A 
REPRESENTATIVE IN CONGRESS FROM MINNESOTA 

The Chairman. The Committee will come to order. I want to start
today by welcoming everyone to this hearing of the House Agriculture
Committee. I want to especially welcome Charles Christopherson, the
USDA’s Chief Financial Officer, who will provide testimony and
answer the Committee’s questions today. I would also like to
recognize Boyd Rutherford, USDA’s Assistant Secretary for
Administration, and Dave Combs, USDA’s Chief Information Officer,
who are accompanying Mr. Christopherson.

Information security and accessibility are two very serious issues
that must be top priorities for USDA. Farmers, ranchers, small
businesses and many others entrust USDA agencies and programs
with a great deal of private personal information on a regular
basis. The USDA must take their responsibility to protect this
information very seriously. The recent announcement that Social
Security or tax information numbers of more than 38,000 people were
made public on the Internet has called into question the security
of private information that USDA has in its possession. I want to
commend and very much appreciate Congressman Zach Space, one
of our newest Members of the Agriculture Committee, for
recognizing the serious implications of this situation and requesting
a hearing today on this issue. I hope that we will hear a more
complete explanation of how this could happen, what is being done to
assist the people whose personal information was compromised,
and I also look forward to hearing what is being done to be sure
no additional personal information is exposed in this manner.

In addition to this information security breach, accessibility to
computer-based systems has been a recurring problem at USDA.
Computer failures at the Farm Service Agency have prevented
farmers from signing up for programs online and in FSA offices. As
a result of the poor performance of FSA computer systems earlier
this year, the USDA had to extend the deadline for farmers to sign
up for the Direct and Counter-Cyclical Payment Programs.
Congressman Moran requested a hearing to review the system failures
and delays that farmers and ranchers have faced because of the FSA
computer problems and I also appreciate his attention to this
serious issue.

Data security and reliable computer systems are priorities that
USDA must recognize and provide to the many individuals and
organizations that do business with the agency every year. Farmers
and ranchers must be able to trust that USDA will protect their
information and provide consistent access to computer-based
applications. Without that trust, USDA cannot accomplish its mission
and farmers and ranchers cannot take full advantage of the
programs available to them. I am concerned that the Administration’s
budget request for necessary computer maintenance and
improvements at USDA does not reflect the serious needs that have
been exposed by these recent computer problems. We are seeing the
results of a broken system that should have been fixed long before
these problems emerged.

The purpose of this hearing is, however, not to lay blame;
although there is certainly plenty of blame to go around with lack
of Congressional oversight, the agency’s ability to recognize these
problems before they reached this crisis level, and the
Administration’s failure to request and provide resources needed to
prevent these problems from happening in the first place. So I am
particularly interested to hear from our witnesses what resources
USDA needs to assure farmers and ranchers that they can expect
secure and reliable access to farm programs. I look forward to the
testimony that we will hear today and look forward to working with
the Administration to address these serious problems.

Without objection, all Members that wish to make a statement
will be made part of the record with the exception of the Ranking
Member, who today is Ms. Foxx from North Carolina. We
appreciate you being here today and if you want to say a couple
brief words?

[The prepared statement of Mr. Walz follows:] 

Statement for the record for Congressman Walz 

Full Committee on Agriculture — hearing to review U.S. Department of 
Agriculture’s release of program beneficiaries’ Social Security numbers and of the 
Department’s information systems, generally 

May 2, 2007 


Mr. Chairman and Ranking Member Goodlatte, thank you for holding this hearing today. 

Two weeks ago, an individual who had received a USDA loan was looking around on the 
Internet and discovered something disturbing; her Social Security number — and the 
numbers of thousands of others — were available on a publicly-searchable database 
online. 

USDA now estimates that more than 38,000 individuals may have had their personal 
information compromised. 

This is unacceptable. Our government agencies ought to be doing everything in their 
power to make it harder for identity theft to occur; instead, in this case, it facilitated it. 

We are here today to hear testimony from USDA about how this happened, how USDA 
responded, and how the Agency is going to ensure that this never, ever happens again. 

I thank the Chairman and the Ranking Member for holding this hearing today. 

OPENING STATEMENT OF HON. VIRGINIA FOXX, A 
REPRESENTATIVE IN CONGRESS FROM NORTH CAROLINA 

Ms. Foxx. Just briefly, Mr. Chairman. I want to say that I know 
that I and my colleagues share the same concerns that you have 
expressed, and what I hope we will discover is how problems like 
these occur but more importantly, how can we establish systems to 
prevent the problems from occurring again. As you say, there is 
probably plenty of blame to go around; that doesn’t accomplish 
much. What we need to do is figure out a way to make the system 
better and to hold the proper people accountable, and I thank you 
for your focus on that. 

The Chairman. I thank the gentlelady, and I appreciate her 
presence here and the other Members. 

Mr. Christopherson, we appreciate you being with the Committee 
and your full statement will be made part of the record. We operate 
here under the 5 minute rule so if you could hit the high points 
and stick within that and then I think we probably have quite a 
few questions, so thank you very much. 

STATEMENT OF HON. CHARLES R. CHRISTOPHERSON, Jr., 
CHIEF FINANCIAL OFFICER, U.S. DEPARTMENT OF 
AGRICULTURE, WASHINGTON, D.C.; ACCOMPANIED BY DAVE 
COMBS, CHIEF INFORMATION OFFICER; AND HON. BOYD K. 
RUTHERFORD, ASSISTANT SECRETARY FOR 
ADMINISTRATION, U.S. DEPARTMENT OF AGRICULTURE 

Mr. Christopherson. Thank you, Mr. Chairman. 

Mr. Chairman, Ranking Member and the Members of the Committee,
I thank you for this invitation to appear before you today
to update the Committee on the current events related to the
information technology at the U.S. Department of Agriculture. I am
joined today by Dave Combs, the Department’s Chief Information
and Chief Privacy Officer, and Boyd Rutherford, our Assistant
Secretary of Administration.

We appreciate the opportunity to discuss the recent discovery of
approximately 38,700 Social Security Numbers that have been
inadvertently made public through a government-wide website. Our
policy states USDA will protect personal, financial and employment
information from unauthorized disclosure. Customers and
employees should also have the right to expect that USDA will
collect, maintain, use and disseminate identifiable personal
information and data only as authorized by law and as necessary to
carry out our agency’s responsibilities. At the outset, let me state
that we take full responsibility for this incident. We offer no
excuses and we deeply regret the exposure of the sensitive
information and the concern that it has caused our citizens that we
serve.

By way of background, the USDA is comprised of approximately
100,000 employees and 29 component agencies, with staff
offices located at some 7,200 offices around the world. Of our more
than 250 IT systems, many date back to the early days of
computing before the Internet and before the identity theft
challenges of the modern information age. As a result, personal
information such as Social Security Numbers were used as customer
identifiers and thus were key to accessing records in many of these
older systems. These older ways of doing business are no longer
acceptable and we are confronting the significant challenge of
removing sensitive data whenever possible.

Let me assure you that we did not wake up to this challenge just
last week. Addressing these issues has been a long, ongoing effort.
In Fiscal Year 2006 alone, we continued our Federal Information
Security Management Act implementation, inventoried our Privacy
Act data, scrubbed systems for unnecessary uses of personal
identifying information, began encrypting mobile computers,
strengthening remote access controls, required Privacy Act training
throughout the Department and established incident response
protocols.

Regarding the recent incident that brings us here today, on
Friday, April 13, USDA learned that a grantee found her company’s
identifying information posted on a public website. The identifying
number was embedded with other numbers in a larger data field
known as a Federal Award Identifier Number, or FAIN, in a
system known as the Federal Assistance Award Data Systems, or
FAADS. Officials in my office immediately recognized the potential
sensitivities of this information and that same day the identifying
numbers associated with the funding were removed.

Unable to conclude that this was an isolated instance, we
continued our analysis of the information and here is what we found.
Many years ago, the predecessor agencies to the Farm Service
Agency and Rural Development established identifier numbers for
borrowers or grantee applicants; but for some, not all, programs
they adopted as a unique file identifier a number that included the
Social Security Number for an individual recipient or the
IRS-issued EIN for business recipient. When the predecessor agencies
began providing USDA grant and loan data to FAADS as required
in 1982, they simply used the agency-created code as a Federal
Award identifier number.

Pursuant to the direction from the Office of the Chief
Information Officer last year, USDA agencies searched for the
presence of Social Security Numbers in their systems but the FAINs
eluded the attention because the sensitive information was not
readily apparent when viewing the aggregated data. After extensive
evaluation of approximately three million records spanning a period
of 26 years, we were able to determine that the public website in
question contained sensitive information relating to approximately
35,000 individuals from FSA programs and 3,700 from Rural
Development programs.

Our immediate first steps were to confine and fix the problem
while at the same time making sure that we did not take any
actions that would make the problem worse. To date, there is no
evidence that this information has been misused. Nonetheless, we are
offering 12 months of services to help affected persons monitor and
protect their credit. USDA funding recipients whose personal
information was exposed have been notified by mail and are being
provided with instructions for setting up the credit monitoring.

As a result of this recent incident, we have initiated additional
actions consistent with the recommendations included in the
recently released strategic plan to the President on identity theft.
The written testimony provides additional details but in brief
summary, these actions include re-inventorying all of our data
collections, expanding reviews to include external entities,
updating our Privacy Act and awareness efforts, and integrating
information protected in our annual internal controls assessment.

While this incident focuses our attention on protecting sensitive
data, USDA is also redoubling its efforts in the area of overall IT
security. To emphasize how seriously that we have taken our role
as data stewards, we are focused on improving our logical and
physical access controls, our software change controls and our
disaster recovery capabilities.

In closing, I again want to state that we regret the incident that 
has occurred. We are committed to taking care of the individuals 
who are affected and we will fix the problems which led to this 
issue. 

Mr. Chairman, we would be pleased to take any questions from 
the Committee. 

[The prepared statement of Mr. Christopherson follows:] 

Written Statement of the Honorable Charles R. Christopherson, Jr. 

Chief Financial Officer 
U.S. Department of Agriculture 

Before the 

Agriculture Committee 
The U.S. House of Representatives 
May 2, 2007 

Mr. Chairman, Ranking Member Goodlatte, and members of the Committee, thank you 
for your invitation to appear before you today to update the Committee on current events 
related to information technology at the United States Department of Agriculture 
(USDA). 

I am Charles Christopherson, Chief Financial Officer at USDA. My role with respect to 
information technology is to ensure that the financial systems throughout the Department 
work together and protect the security of financial information. I am joined today by 
Dave Combs, the Department’s Chief Information Officer (CIO) and Senior Agency 
Official for Privacy; and Boyd Rutherford, our Assistant Secretary for Administration. 

We are here today primarily because of the recent discovery that approximately 38,700 
Social Security Numbers (SSNs) had been inadvertently made public through a 
government-wide system known as the Federal Assistance Awards Data System 
(FAADS). This information was also reposted by other commercial or non-profit 
websites. At the outset, let me state that we take full responsibility for this incident and 
offer no excuses. We regret the exposure of this sensitive information (by sensitive 
information we mean personally identifiable information about individuals) and the 
concern it has caused the citizens we serve. 

In my testimony today, I would like to achieve four principal goals. First, to provide the 
context for this incident, I would like to provide some basic information about USDA’s 
information technology portfolio and our ongoing efforts to protect sensitive information. 
Second, I will brief the Committee on the facts of the incident. Third, I will describe for 
the Committee exactly how we are taking responsibility and implementing corrective 
action, in light of this incident. Finally, I will take a few moments to update the 
committee on our ongoing efforts to further bolster our overall information security. 

Background on Protection of Sensitive Information 

USDA is comprised of Departmental headquarters, 17 component agencies, and 12 staff 
offices. We have approximately 100,000 employees located in some 7,200 offices 
throughout the world. Each of the 17 agencies has a Chief Information Officer who 
oversees IT systems and processes; many of which have evolved over many years. Many 
of our systems date back to the early days of computing, before the internet, and before 
the identity theft challenges of the modern information age. As a result, more than 250 
IT systems were developed over the course of several decades. Personal information, 
such as SSNs, were used as customer identifiers, and thus were key to accessing records 
in many of these older, legacy systems. 

In this new era, where individuals must guard themselves against the risks of identity 
theft, these old ways of doing business are no longer acceptable. Unfortunately, our 
complex tapestry of systems cannot be unwound by pulling on a single thread. Rather, it 
requires a sustained and coordinated effort that simply takes more time than we would 
like, as well as substantial resources. 

Let me assure you, that we did not just wake up to this challenge last week. Addressing 
these issues has been an ongoing effort. For the past several years, we have been 
working on implementation of the Federal Information Security Management Act 
(FISMA). FISMA is a law which provides a framework to protect all Federal 
information - including sensitive and personally identifiable information. In USDA’s 
most recent quarterly Federal Information Security Management Act (FISMA) report, a 
total of 56 systems were identified as containing sensitive information. These 
information systems are secured based on the type of information which they contain. 
When a system is found to be maintaining or transmitting personally identifiable 
information - we protect it using a set of security controls developed specifically for high 
and/or moderate impact information systems. In Fiscal Year (FY) 2006, we took several 
important steps. Let me provide a few examples. On June 22, 2006, OCIO issued a 
memo entitled “Management of Privacy Act Data” to all USDA agencies requiring a 
complete inventory of all systems that store or process data protected under the Privacy 
Act, and directing a review of all operations to determine compliance with Department 
policy. While this memo did not explicitly address the use of embedded SSNs, it did set 
into motion a process to identify and thoroughly scrub all improper and unnecessary uses 
of personally identifying information. This was followed by a July 13, 2006, directive to 
implement the recommendations of OMB Memorandum 06-16, including actions to 
encrypt all mobile computers and to install two-factor authentication for remote access to 
USDA systems. In addition, all USDA employees and contractors were required to 
complete a “USDA Privacy Basics” course between July 18, 2006, and September 15, 
2006. 

In response to a recommendation from the President’s Taskforce on Identity Theft, Mr. 
Rutherford and I sent a memorandum to the users of the financial and human capital 
systems explaining the breadth of their responsibilities concerning information protected 
under the Privacy Act. The memorandum states: “To be clear, safeguarding people’s 
sensitive information is not an option, it is a responsibility engrained into every financial 
and human resources position.” Since August 2006, USDA organizations including the 
Office of the Chief Financial Officer have held additional privacy information training 
sessions and worked to remove social security information from reports. 

On October 5, 2006, we amended Standard Operating Procedure (SOP) to assist the 
United States Department of Agriculture (USDA), Computer Incident Response Team 
(CIRT) in processing reports of computer security events. This SOP is designed to assist 
the security analyst in determining which events should be elevated to incidents, and 
which events should be escalated to United States Computer Emergency Readiness 
Team. The document also outlines procedures for dealing with different types of events 
and incidents, the requirements for escalating incidents to senior officials, and for 
facilitating CIRT interactions with other organizations, both internal and external to the 
Department. 

On April 6, 2007, the Department added to the Senior Executive Service (SES) 
Performance Standard the requirement that “ensures 100 percent of the workforce 
(Federal and contractors) have successfully completed the Computer Security Awareness 
and Privacy Refresher training. All new employees/contractors with access to 
Information Technology (IT) systems receive a security briefing prior to access being 
granted.” Each of our SES leaders provides an important management role in protecting 
privacy information. 

Prior to the recent incident, the three of us (the Chief Financial Officer, the Chief 
Information Officer, and the Assistant Secretary for Administration) had already 
commenced working on eliminating unnecessary usage of SSNs as an identifier at 
USDA. To date, this project has eliminated unnecessary usage for approximately 29,500 
individuals. We also initiated a requirement that each employee and contractor with 
access to information technology systems or personal privacy information take Privacy 
Act training. The continuing training program is used to reinforce the fact that every 
person is responsible for protecting sensitive information. 

On October 26, 2006, under the guidance of the Office of Management and Budget 
(OMB), USDA established its Identity Core Response Group led by the Chief 
Information Officer, and consisting of the Chief of Staff, General Counsel, Assistant 
Secretary for Administration, Assistant Secretary for Congressional Relations, the 
Director of the Office of Communications, the Inspector General, and other members as 
needed on an incident basis. The idea motivating the creation of this group was that, 
notwithstanding best efforts to mitigate the risks of disclosure of sensitive information, 
we needed to be prepared for any unforeseen incidents that might arise. Having this 
structure in place was essential in allowing us to respond as swiftly as we did to the 
incident that brings us here today. 


The Recent Incident: 

On Friday, April 13, 2007, USDA learned that a grantee was surfing the internet and 
noticed that her company’s identifying information was posted on the website 
fedspending.org (a data base created and maintained by the OMB Watch organization 
which draws grant and contract information from two federal data bases; the Federal 
Assistance Award Data System and the Federal Procurement Data System). The number 
was not identified as a SSN or Employer Identification Number (EIN), but was instead 
embedded as nine numbers within a larger data field in a database known as the Federal 
Assistance Award Data System (FAADS). 

FAADS was established pursuant to the Consolidated Federal Funds Report Act of 1982. 
That Act and successor laws require Federal agencies to report domestic Federal financial 
assistance award information with particular data elements and to make that information 
available to Congress, States, and the public. See 31 U.S.C. § 6101 et seq. The United 
States Bureau of the Census (Census) serves as the executive agent for the FAADS. One 
of the required data elements for reporting to FAADS is the Federal Award Identifier 
Number (FAIN). Originally, Census released Federal assistance award information 
reported to the FAADS in the form of a CD-ROM. In 1996, Census began making the 
data available through an internet website as well as through continued CD-ROM 
distribution. 

Officials in the Office of the Chief Financial Officer immediately recognized the 
potential sensitivities of what had been learned on Friday, April 13 and that same day had 
the identification numbers associated with the USDA funding removed from the Federal 
FAADS website so that they could further investigate the situation. In addition, at the 
request of the Office of Management and Budget (OMB), OMB Watch removed all 
FAIN numbers for all entities on its FedSpending.org website. The Office of the Chief 
Information Officer obtained a list of entities that received the CDs from Census, and has 
been actively contacting these entities to request destruction of the CDs. Here is what 
they learned by the first of last week: 

Many years ago the predecessor agencies to the Farm Service Agency (FSA) and Rural 
Development (RD) established identification numbers for borrower or grantee applicants 
and loan files. For some, but not all programs, they adopted as the unique file identifier a 
number that consisted of a combination of the SSN of the recipient or borrower and other 
agency assigned values. In some cases, it is possible that individual borrowers or 
recipients functioning in an entrepreneurial capacity used a SSN instead of an Internal 
Revenue Service (IRS) issued EIN. Federal law has long required that Federal agencies 
collect the SSN or EIN of entities and individuals receiving financial awards from the 
Federal government to report income to the IRS or perform debt collection activities. 

When the predecessor agencies to the Farm Service Agency (FSA) and Rural 
Development (RD) began providing USDA grant and loan award data to FAADS as 
required in 1982, they simply used the Agency created code as the Federal Award 
Identification Number (FAIN) for FAADS. Pursuant to the direction from OCIO last 
summer, USDA agencies searched for the presence of SSNs in their systems, but the 
FAINs eluded attention because the sensitive information was not readily apparent when 
viewing the aggregated data. 

During the week of April 16th, the week immediately following the discovery on Friday, 
April 13, USDA first analyzed the potential breadth of the problem. After evaluation of 
approximately 3 million detailed original award and award modification records spanning 
a period of 26 years, it was determined that the information provided by the Farm Service 
Agency (FSA) and Rural Development (RD) to the public website in question contained 
sensitive information relating to approximately 38,700 persons. 

Approximately 35,000 of the individuals participated in one of the following FSA 
programs: 

• Seed Loans; 

• Emergency Loans; 

• Farm Ownership Loans; 

• Apple Loans; and 

• Soil and Water Loans and Horse Breeder Loans. 

Approximately 3,700 of the affected individuals participated in one of the following RD 
programs: 

• Business and Industry Loans; 

• Community Facilities Loans and Grants; 

• Single Family Housing Guaranteed Loans Natural Disaster; 

• Rural Rental Assistance Payments; 

• Rural Rental Housing Loans; 

• Rural Rental Housing Guaranteed Loans; 

• Farm Labor Housing Loans and Grants; and 

• Renewable Energy Systems and Energy Efficiency Improvements Program. 

Our team was very deliberate in designing reconciliation between FAADS and our 
internal USDA files to make sure we considered all recipients, whose records were sent 
to the system, going back to the inception of the system in 1981. 

The initial universe of potential transactions summarized by Recipient Name, Recipient 
Type, Federal Award Identification Number, State, Catalog of Federal Domestic 
Assistance Number, and other fields (including each award and subsequent modification 
for non aggregated transactions) exceeded 700,000 records. Using a combination of the 
Recipient Type and Recipient Name fields, the USDA team was able to eliminate all 
transactions that were not made to small businesses or individuals and that contained nine 
or more numeric digits. This narrowed the potential universe to approximately 189,000 
recipients. 

USDA’s agencies then matched the record sets against their program systems and 
eliminated an additional number of records as not containing SSNs. Through this 
methodology, we determined that approximately 38,700 unique SSNs were posted 
publicly. The design and execution of this methodology took approximately 9 days to 
complete. Upon completion USDA began mailing letters to the affected individuals on 
April 23, 2007. We expect that all affected individuals received notification by 
May 1, 2007. 


USDA’s Response 

USDA’s response to this incident is twofold. First, we took immediate steps to protect 
the individuals whose sensitive information has been exposed. Second, we are stepping 
up our system wide efforts to protect sensitive data and to further reduce the possibility of 
a similar incident. 

Our immediate first steps were to confine and fix the problem, while at the same time 
making sure not to take any actions that would make the problem worse. To date, there is 
no evidence that this information has been misused. USDA is offering 12 months of 
credit monitoring services to help affected persons monitor their personal accounts. This 
includes: 

• Availability of live customer service agents 24 hours, 7 days a week; 

• Subscription for credit monitoring by phone, U.S. Mail, fax, or internet; 

• Daily alerts and unlimited reports via internet, or quarterly reports by U.S. Mail; 

• Assistance if individual’s identity is stolen or misused; 

• $20,000 insurance policy for identity theft (Except for the State of New York, 
where companies are currently unwilling to underwrite identity theft insurance 
coverage until New York State Legislators pass a bill affirming the legality of 
identity theft insurance coverage.) 

USDA funding recipients whose sensitive information was exposed are being notified via 
mail and are being provided with instructions on how to register for credit monitoring. In 
addition, we established a toll free line for recipients with questions to call. They can 
also visit USA.gov, which has a question and answer page on this incident. 

As a result of the recent incident, we have initiated the following additional actions 
consistent with the recommendations included in the recently submitted report to the 
President by the Identity Theft Task Force, titled “Combating Identity Theft: A Strategic 
Plan”: 

1) We have directed all agencies to re-inventory all the data they collect, either 
electronically or via paper, to ensure that we have full knowledge at the agency and 
Department-level of any documents, files, or databases that contain sensitive information; 

2) We have directed that all USDA agencies identify to us all Federal and non-Federal 
entities to which they provide data, the source of that data, whether any sensitive 
information is included, and the justification for its inclusion. The provision of data to 
external entities was not assessed in our 2006 inventory data gathering effort; 

3) We are undertaking a review of our current Privacy Act training program and will 
assess its adequacy in communicating the stewardship role USDA has over personal 
information, whether or not the data is covered by the Privacy Act, and make the changes 
required; 

4) We have added the safeguarding of sensitive information as control items to be 
routinely evaluated as part of our Departmental level annual internal control assessment. 
These controls have historically been assessed at the agency level. Our implementation 
of a standard Departmental approach to assessing controls over financial reporting has 
shown that a Departmental adoption of a standard methodology for documenting 
controls, defining test criteria, and evaluating test results moves us to a scientific 
measurement of effectiveness thus improving our ability to rely upon these controls. 

We believe these actions will get to the root cause of this recent data incident and prevent 
further occurrences. We will do what is needed to track the results of these efforts and 
provide the leadership needed to ensure that we provide appropriate protections for 
sensitive data. 

While this incident focuses our attention on protecting sensitive data, USDA is also 
redoubling its efforts in the area of overall IT Security to emphasize how seriously we 
take our role as data stewards. 

Overall IT Security Initiatives 

Of course protection of individuals’ sensitive information is just one component of an 
agency’s overall IT security program. USDA has had an ongoing challenge related to IT 
Security. Annually we review and identify material weaknesses in our internal controls 
over information technology. A material weakness is a condition in which internal 
controls do not reduce the risk that significant errors or fraud may occur or not be 
detected in a timely manner. These weaknesses which were detailed in our Performance 
and Accountability Report, previously sent to the Congress, include: 

1) Access controls, logical - Insufficient controls over access to systems and 
databases, e.g., weak password parameters; 

2) Access controls, physical - Insufficient controls over physical access to locations 
where systems are housed, e.g., mission critical systems operated outside of 
controlled data centers; 

3) Software Change Controls - Insufficient controls over changes made to software, 
e.g., changes made to software without testing; 

4) Disaster Recovery - Lack of timely recovery capabilities for mission critical 
systems. 

These material weaknesses were previously identified, and although progress has been 
made, they remain on the list. To bring additional senior oversight to the resolution of 
the information technology problems, we assigned the Deputy Chief Financial Officer 
and the Deputy Chief Information Officer to coordinate and oversee all USDA agencies’ 
efforts to remedy these IT weaknesses. In areas where full remediation of a weakness 
will take an extended period of time, e.g., when only a full system replacement will 
completely fix the underlying weakness, they are ensuring that the USDA agencies 
implement immediate short-term solutions to ensure that our IT resources and data cannot 
be compromised. 

In closing, I want to again state we regret the incident occurred and are committed to 
taking care of the individuals affected and to fix the problems which led to this issue. We 
would be pleased to report back to the Committee on our progress and IT issues. We 
know it is important and the responsibility of everyone to protect the information of 
individuals with whom the Department does business. 


Mr. Chairman, we would be pleased to respond to any questions from the Committee. 




The Chairman. I thank the gentleman, and the other two gentle- 
men are just here for backup? 

Mr. Christopherson. Yes, sir. 

The Chairman. All right. We thank you very much for that testi- 
mony, and I think we have a number of Members that have some 
questions, but I am going to give my time to Mr. Space to start the 
questioning because he is the one that was on top of this before 
anybody else, so we appreciate, Mr. Space, your diligence and hard 
work, and I will yield to you for 5 minutes or maybe give you a 
little bit of leeway. 

Mr. Space. Thank you, Mr. Chairman, for deferring your time to 
me as well as for agreeing to this hearing, and I would like to 
thank you, Mr. Christopherson, for testifying today. 

All of the Members of this Committee remember the situation 
that occurred with the Department of Veterans Affairs, and while 
that situation was disturbing, this security breach is in some ways 
worse. The Department put this personal information online 
through an overt act which is very difficult, if not impossible, to retrieve. 
These information security problems are nothing new at the 
USDA, unfortunately. The OMB, National Institute of Standards 
and Technology, and the USDA’s Inspector General have all docu- 
mented in numerous reports the history of poor performance when 
it comes to information security. The agency lost, I understand, 95 
computers with access to personal information, according to the 
USDA’s IG report a few months ago. The reason this latest security 
breach is so troubling is that farmers and ranchers live and die by 
their credit. If the agency put one of them at risk for identity theft, 
that would be potentially devastating to their businesses. I believe 
many farmers and ranchers already distrust the government, 
frankly, and this fiasco will prevent the USDA from accomplishing 
its mission to assist these producers. 

Mr. Christopherson, in your written testimony that had been de- 
livered to the Committee prior to this hearing, you indicate at page 
five that before the revelations that occurred on April 13 of this 
year, the USDA had already commenced working on eliminating 
unnecessary usage of Social Security Numbers as identifiers. The 
project of eliminating SSNs as identifiers had resulted in identi- 
fying over 29,000 people who had previously been identified with 
their Social Security Numbers, and the question I have for you is, 
when was that project started to start to eliminate Social Security 
Numbers as identifiers? 

Mr. Christopherson. What I will do is, I will actually defer part 
of this question to our Chief Information Officer that actually led 
that initiative. We have actively for this last year moved through 
a process to identify the areas of USDA and the systems that have 
this information in it. We are 

Mr. Space. My question is, when was that project begun? When 
was it? I would like a date within a month or two when the project 
to eliminate Social Security Numbers as identifiers was begun by 
the USDA. 

Mr. Christopherson. Okay. I know this was within the June 
time frame, and 

Mr. Space. I would like to know when it was begun. Your testi- 
mony indicates that prior to this event occurring, the USDA, you 
as well as the other gentlemen with you today had already commenced 
working on eliminating unnecessary usage of SSNs as an 
identifier at USDA. Simple question: When was that project start- 
ed? 

Mr. Combs. I found my information, sir. It was June of last year 
that we began this process following the tremendous publicity, as 
you are aware, with the Veterans Administration incident that cer- 
tainly raised the awareness of everyone about this particular issue. 
We initiated this, basically a re-review of all of our systems and 
looking where we use Social Security Numbers, with the view of 
eliminating unnecessary use back then. It is such a pervasive, 
broadly-found issue throughout the Department that it is not a 
short exercise to do that and so even today we continue to try to 
find places where these are unnecessarily used. 

Mr. Space. So it would have been about 10 months before April 
13 that a process was begun to eliminate Social Security Numbers 
as an identifier? 

Mr. Combs. Yes, sir. 

Mr. Space. And apparently during that process over 29,000 peo- 
ple’s identifying information was changed from their Social Secu- 
rity Number to something else? 

Mr. Combs. Yes. 

Mr. Space. All right. Were any of those individuals posted on the 
Internet? 

Mr. Christopherson. No, not that we are aware of. None of 
those individuals were actually posted to the Internet. This is the 
first occurrence that we know about. 

Mr. Space. And your testimony indicates that upon discovery of 
the use of the SSNs on April 13, you immediately recognized that 
there was a problem and you were able to remove all 37,800 num- 
bers in 1 day from the Internet. Is that a correct reflection of your 
testimony? 

Mr. Christopherson. Actually we actually removed those from 
what is called the FAADS database, which is a public access data- 
base, and it was all the records for USDA at that time. 

Mr. Space. Okay. So you were able to accomplish that in 1 day? 

Mr. Christopherson. For the FAADS database, which is actu- 
ally held by the Census there, the executive group that manages 
that system, yes. 

Mr. Space. Right. So here is a question that I have for you, Mr. 
Christopherson. How or why is it that when you are aware of the 
problem but that knowledge is internal and not available to the 
general public, you are not able to identify and remove Social Secu- 
rity Numbers that are listed on the Internet over a course of 10 
months from the time that you recognized that that may be a prob- 
lem? Those names stayed on the Internet for 10 months. As soon 
as the problem gets disclosed to Congress and the general public 
at large, you are able to do that in 1 day. I have serious concerns 
about the oversight and the lack of prioritization and the lack of 
commitment to the Privacy Act that the USDA has displayed, not 
just with this but with the loss of 95 computers that contained non- 
encrypted information of a sensitive nature. I guess I am looking 
for answers as to why the only time the USDA seems to get serious 
about protecting people’s privacy is when they get called. 

Mr. Christopherson. Actually, we are very serious about protecting 
people’s information. The reason why this was not detected 
was, it was actually embedded in a 15 digit number. You know, if 
it was a nine digit number we would have picked it up right away. 
However this information actually was exposed for a longer period 
of time. We did go through and were actively checking for informa- 
tion that contained Social Security Numbers but it was embedded 
in a 15 digit number and was just not readily apparent. 

Mr. Space. But 

Mr. Christopherson. Now, we are moving back to actually look 
at those factors again to make sure that we find all this informa- 
tion. 

Mr. Space. Mr. Chairman 

The Chairman. Well, I will tell you what, the Ranking Member 
is here now and he has a statement, so we will give you some more 
time here in a little bit. 

Mr. Space. If there is time for that, Mr. Chairman. I do thank 
you deferring your time. 

The Chairman. There will be time, and we will recognize you. 

Mr. Space. Thank you, Mr. Christopherson. 

The Chairman. I want to recognize, right now, the distinguished 
Ranking Member for a statement, and I am also going to let him 
ask a couple of questions, and maybe we just won’t even run that 
thing right now so that it doesn’t beep. It can be a useful thing that 
this is kind of like the Gong Show or something here to intimidate 
people but anyway, we are pleased to have the Ranking Member, 
Mr. Goodlatte, here. I will recognize him at this time. 

OPENING STATEMENT OF HON. BOB GOODLATTE, A 
REPRESENTATIVE IN CONGRESS FROM VIRGINIA 

Mr. Goodlatte. Thank you, Mr. Chairman. Thank you for hold- 
ing this hearing. 

The discovery that the Social Security and tax identification 
numbers of more than 38,000 USDA customers has been posted to 
a publicly accessible Internet site is disturbing on many levels. 
This event is only one of several in which the personal identifica- 
tion information of farmers, other clients or employees has escaped 
the control of the USDA. In this case, however, the numbers were 
actually placed on the Internet where anyone could access them. 
Perhaps the worst aspect of this episode is that the original error 
occurred in 1981 and that the data has been on the World Wide 
Web since 1996. The number of questions that this raises is stag- 
gering. For example, is there any reason to believe that if a farmer 
in Missouri had not stumbled across her personal identification in 
a general search of references to her farm would USDA have ever 
found this problem? Does the Department know all the locations of 
information that they have officially shared or publicly made avail- 
able? Do they know whether there are any other instances where 
personal identification information has been released? What steps 
are being taken to ensure that this does not happen again? These 
are the types of questions that our Committee will want answered 
in today’s hearing. We should all take note that this event occurred 
in the midst of a major debate over producers surrendering large 
amounts of sensitive business and personal information in the livestock 
industry. The performance of the USDA in this episode certainly 
lends significant credibility to those who fear that their information 
will not be protected from release while in the hands of 
the USDA. 

Mr. Chairman, I hope that this hearing will provide some sense 
of reassurance to the millions of customers of the Department that 
episodes like this are not the status quo at the USDA; and that the 
U.S. Department of Agriculture is making a concerted effort to en- 
sure in the future customers won’t have to worry that their per- 
sonal information will be showcased on the Internet. 

Mr. Christopherson, if I might ask you, I understand there are 
250 information technology systems that have been developed at 
the Department over the years. How many of them contain Social 
Security Numbers as an identifier? 

Mr. Christopherson. That is approximately 56 of those systems 
contain that information. 

Mr. Goodlatte. Have all of these systems been evaluated to de- 
termine whether or not they contain a Social Security Number as 
an identifier? I take it from your answer to my first question that 
you have done that. 

Mr. Christopherson. That is correct. 

Mr. Goodlatte. And in your opinion, are any of these numbers 
at risk of release at this point? 

Mr. Christopherson. The only numbers that we show that have 
been released are these approximately 29,000. 

Mr. Goodlatte. And how long will it take to remove these re- 
maining Social Security Numbers from these systems to ensure 
that events like this do not happen again? 

Mr. Christopherson. There are a couple of factors with the So- 
cial Security Numbers. Being a large loan and grant-making agen- 
cy, we are required to pull in this information both for debt collec- 
tion and various other reasons. This will take numerous years on 
some of these older systems to basically remediate and contain the 
information. Now, we do have plans associated with that, et cetera, 
but a lot of this information USDA will have for the life of its agen- 
cy. 

Mr. Goodlatte. Well, what is the process for removing the num- 
bers from the system? Do you have some other identifier that you 
can use to replace that with? 

Mr. Christopherson. We will be using other identifiers as we 
modernize these systems or as we adjust them to change. 

Mr. Goodlatte. How many unnecessary uses of Social Security 
Numbers as an identifier currently exist in the USDA system 
today? 

Mr. Christopherson. We don’t fully understand or know exactly 
how many are actually unnecessary. These are old systems. In the 
1980s, these were key indicators. What is important for us today 
is that we actually wrap internal controls around this information 
to make sure that it does stay in the systems and does not get ex- 
posed to the outside. 

Mr. Goodlatte. Thank you very much. 

Thank you, Mr. Chairman. 

The Chairman. I thank the gentleman, and those are good questions. 
I have got a couple questions but I will go down the line here 
first a little bit. 

Mr. Etheridge from North Carolina. 

Mr. Etheridge. Thank you, Mr. Chairman, and thank you for 
holding this hearing. 

It is quite obvious from the questions thus far, Mr. 
Christopherson, that there is concern certainly on this side of the 
table, and I hope you can clear up some confusion. According to a 
report and your answer thus far relating to this incident, the num- 
bers were found of course as you already said by a farmer on the 
website, federalspending.org, which really is a nonprofit group who 
sort of keeps an eye on OMB. So was this not actually a USDA 
website conveying this information or was it linked to a USDA 
website? Can you clear that up? 

Mr. Christopherson. Yes. Federalspending.org is actually a 
public website or an awareness website for the public. It is a not- 
for-profit or private website. 

Mr. Etheridge. So it was linked to USDA? 

Mr. Christopherson. It receives its information from what is 
called the FAADS information, which is actually held by Census 
and we feed that information into this public database to make it 
available. 

Mr. Etheridge. Okay. With that answer then, this was a private 
website that 

Mr. Christopherson. It was a private website. 

Mr. Etheridge. All right. That USDA had been working with to 
provide information about program users ought to be a concern to 
all of us and should have been a flag to USDA all along. We have 
seen from time to time again how the rush to privatize federal 
workers at USDA and hire contractors often results in the work 
just not getting done in a timely manner. I know this is an ongoing 
problem with our FSAs because their websites tend to be down 
quite often. Can you enlighten me as to how much of the IT func- 
tions at USDA are being farmed out to private contractors at this 
time? 

Mr. Christopherson. First I want to clear up something here. 
The information that is on this private website is actually re- 
quested and is by law available to them by what is called the Fed- 
eral Award Assistance Data System. I want to make sure that is 
very clear that they have access to this, lawfully, to request this 
data. On the question when it comes to how much of our IT func- 
tion is by contractors, I will be happy to actually submit that to the 
record. I don’t have that full information here today. 

Mr. Etheridge. Do you have any idea what that number might 
be? 

Mr. Christopherson. I don’t. I don’t have any idea exactly what 
that number is and I would hate to actually throw out an estimate 
for this Committee. 

Mr. Etheridge. That is troubling in itself for someone who is in 
charge of finances and does not know in dealing with the IT how 
much of it might or might not be. I think this ought to be a cause 
for concern for this Committee and you ought to be concerned your- 
self and the Members seated adjacent to you if you have no idea 
how much of it we are putting out on private contract. But I hope 
you will provide that to this Committee in writing. 

Mr. Christopherson. I would be happy to. 

Mr. Etheridge. I will make that request, Mr. Chairman, because 
I think that is important for us to have. 

Mr. Christopherson. And the complexity behind this answer is 
actually dealing with, we actually have contractors in-house that 
supplement our employee base. We have contractors that are actu- 
ally contracted out under a formal contract as a section of this in- 
formation where we have very clear and distinct requirements for 
these contractors. So this is actually a complex question and will 
require a fairly lengthy answer to actually address this. 

Mr. Etheridge. Well, you have gotten a little bit deeper into it 
then. As you give that answer, would you divide that up so we can 
know how many are in-house contractors, how many outside con- 
tractors, how many of them are under contract and how those con- 
tracts are drawn, whether they are open-ended contracts or wheth- 
er they are contracts that are for definite periods of time with open 
bids and their bid contracts. 

Mr. Christopherson. We would be happy to provide that. 

Mr. Etheridge. Thank you, Mr. Chairman. I yield back. 

The Chairman. I thank the gentleman. Mr. Conaway. 

Mr. Conaway. Thank you, Mr. Chairman. 

Gentlemen, I appreciate you being here today. I compliment you 
on your forthrightness. I appreciate that. Looking at the USDA’s 
response as shown on page 10, it looks to me like you have done 
everything you need to do to protect anybody who might have been 
harmed by this. Any evidence that over the 11 years this informa- 
tion was on the Web that anybody was harmed as a result of these 
15 digit numbers being available to the public? 

Mr. Christopherson. No, we do not have any evidence of that. 

Mr. Conaway. Okay. Anybody make any claims? Anybody call in 
on the 24 hour hotline yet, questioning USDA? 

Mr. Christopherson. No, nobody has actually made any claims 
that that 

Mr. Conaway. So the 39,000 folks out there that got a letter say- 
ing that their embedded nine digit Social Security Number was in 
a bigger 15 digit number had been available for 11 years, those 
39,000 so far, they have been relatively calm about their response? 

Mr. Christopherson. Right. Actually what happened is, we had 
very little response up until they actually started to receive the let- 
ters. Even with the press information that had been released 

Mr. Conaway. No, but until they get a letter though, they don’t 
know that their name was on the list. 

Mr. Christopherson. Right. 

Mr. Conaway. But they now have it? You are managing those re- 
sponses? 

Mr. Christopherson. We are. We have set up an 800 number 
for them and allowed them to call in and have ample questions 
and 

Mr. Conaway. All right. Who is providing the $20,000 insurance 
policy? Is that self-insured by the agency or did you buy those policies 
somewhere else? 

Mr. Christopherson. No, that was actually part of the service 
that we are providing these people so we are not self-insuring. It 
is actually part of the fee that we pay into the service. 

Mr. Conaway. Okay. The response service? 

Mr. Christopherson. Right. 

Mr. Conaway. Let me ask you something else. On all of your sys- 
tems, I would suspect you would have had various levels of backup 
copies, and is it part of your overall review since June as well as 
the review on this system, are you confident that you have purged 
all of the backup systems the same way you have purged the cur- 
rent operating system that you are using? 

Mr. Christopherson. This information, as we have gone out to 
assess this information previously, it does address the full system, 
including backups of this information. 

Mr. Conaway. All right. Again, I compliment you on your re- 
sponse and the level of attention you have given to it on a go-for- 
ward basis. 

Mr. Chairman, I yield back. Thank you. 

The Chairman. I thank the gentleman. 

I recognize Mr. Boswell. 

Mr. Boswell. Thank you, Mr. Chairman. 

You have briefly covered some of this; but in your testimony you 
stated the information provided to the Farm Service Agency and 
Rural Development to the public website contained the 38,000 indi- 
viduals. Is that an isolated event? 

Mr. Christopherson. That is an isolated event according to this, 
you know, these Social Security Numbers that are in this 15 digit 
number. 

Mr. Boswell. How do you know that this information was not 
offered to other public websites? 

Mr. Christopherson. We do not know that it has not been of- 
fered to other public websites but let me tell you what we have 
done pertaining to this. We have actually pulled the information on 
those that actively receive this as a mailer, or have actively re- 
ceived this as a link, or have actively received this as a download. 
Those people have been contacted. We haven’t been able to fully 
contact all of them but we have actively tried to contact them. We 
will continue to try to contact them. It is approximately 92 dif- 
ferent groups. We will make sure that we will 

Mr. Boswell. So you have got an ongoing process trying to con- 
tact the affected individuals? 

Mr. Christopherson. We have an ongoing process to try to work 
with 

Mr. Boswell. Would you say you are 75 percent complete? 

Mr. Christopherson. On the actual 92 different groups, we 
probably have contacted and actually spoken to I think the number 
is around 38 at this point. 

Mr. Combs. It is over half of them. 

Mr. Christopherson. Right, and the rest of them we actually 
have messages. Anyway, that is about where we are at. 

Mr. Boswell. You mentioned that the affected individuals can 
opt into identity theft protection and will be insured. Will this be 
retroactive? 

Mr. Christopherson. This will be based on the policy that we 
have actually received from the vendor. I believe 

Mr. Boswell. So what is 

Mr. Christopherson. — it is actually retroactive. I think it is ac- 
tually for the period of time that they are opting in and setting 
themselves up, but we will actively, for a period of time, try to pull 
in as many as we can of these farmers and continue our outreach 
efforts to sign up as many as we can. 

Mr. Boswell. Since this information has been available for quite 
some time, say someone has been a victim of identity theft and can 
trace it back to information that USDA provided, will they be cov- 
ered by this policy? 

Mr. Christopherson. I think as those instances come up, we 
will have to look at them as each independent instance. This issue 
of identity theft is a broad issue right now. Like I said, we regret 
that this happened and that it has been out there for a period of 
about 26 years that people could actually either by CD or by public 
website pull this information in, but we will look at those inde- 
pendently if they actually do 

Mr. Boswell. Have you had any requests for that yet? 

Mr. Christopherson. We have not had any requests for that as 
of yet. 

Mr. Boswell. Okay. Thank you, Mr. Chairman. I yield back. 

The Chairman. I thank the gentleman. 

Mr. Walberg. 

Mr. Walberg. Thank you, Mr. Chairman. 

Just one basic question. I appreciate you being here and testi- 
fying and I appreciate the efforts you are taking now. This is some- 
thing that has gone on for some time. It goes back a number of 
years but the impact is now and into the future. My office was con- 
tacted by one of these recipients and after receiving the letter that 
you sent out, which was appreciated by my constituent, however, 
he was very much concerned when he called the number and he 
got the answer that he would have to wait for a couple weeks until 
they came up with a process. It seems to me like it is not a good 
thing to send out a letter informing of the issue if the process isn’t 
in place to handle it. Ultimately he was contacted back after our 
office made contact with the Department. So do you have a re- 
sponse to that? Is this just one strange experience that took place 
or you have had other indications that people who do use your 800 
number and call now are receiving information that we are not 
ready to deal with it, wait a couple weeks and we will provide the 
information? 

Mr. Christopherson. Well, let me tell you a little bit about the 
process. We actually — this was a conscious decision to notify these 
people as soon as we possibly could. One of the things that we 
wanted to do was to make sure that those who are not affected in- 
dividuals fully understood that they were not affected. We wanted 
to make sure that the pool of those affected understood that they 
were affected. Now, the procurement process for these services 
takes a little bit of time and we were able to do that fairly fast but 
it was important that we actually did notify these people. Those 
letters went out approximately a little over a week ago. Now, the 
letters pertaining to the service and the setup, et cetera, have been 
drafted. They are in the process of moving out. They have started 
the process of moving out. It takes about 3 days to send this num- 
ber of letters out. So those of your constituents in your area will 
receive those letters shortly and it will be very detailed with the 
information to say this is how you set it up, this is the code that 
you use and these are the services that you will be provided includ- 
ing if something was to happen to your identity or that information 
was actually compromised, here is a group that will help you get 
that back. 

Mr. Rutherford. Excuse me. Can I add something? 

Mr. Walberg. Sure. 

Mr. Rutherford. I believe I actually spoke to your constituent 
on Monday evening and explained pretty much what Mr. 
Christopherson just said, but also that we were starting the proc- 
ess of mailing the second batch of letters which would explain the 
process for enrolling in the credit monitoring service. In terms of 
the difficulties that he had with the 800 number, it is the commu- 
nications challenges that we have been working out. We think we 
have gotten those corrected as far as the information that is passed 
on and they are making sure that the number is updated on every- 
thing that we are doing. 

Mr. Walberg. Thank you. Thanks for your answer. 

The Chairman. I thank the gentleman. 

Mr. Salazar. 

Mr. Salazar. Thank you, Mr. Chairman. 

Mr. Christopherson, you talked about notifying these individuals 
who had been affected and you talked about sending out a letter 
15 days ago or 2 weeks ago. Did you notify these individuals imme- 
diately or how quickly did you notify them when you found out 
what the problem was? 

Mr. Christopherson. What we did is, it actually happened 
about 7 days ago, so that we are clear. As soon as we could actually 
narrow it down to the people that were actually affected and that 
took some time to get through these three million records, we did 
have a letter that was ready to go. We merged those in and we sent 
those right away. So we sent that as soon as we possibly could so 
that those who would be concerned over this and they were not af- 
fected would know as well as those who were affected would also 
know. 

Mr. Salazar. Okay. And are you able to pinpoint where the prob- 
lem actually occurred and did you do any kind of disciplinary ac- 
tion with the individuals who would ultimately be responsible, 
whether your IT people or 

Mr. Christopherson. This exposure was over a long period of 
time, about 26 years. This was an embedded number that was in 
a larger field. As we look back through the scenario, this was a 15 
digit field that wasn’t easily recognizable as an issue and that that 
information was sitting out there. It had been undetected for years 
and years and years. Now, as my testimony shows we did issue a 
number of directives in this last year to address these type of situa- 
tions where we said, “You need to go through your systems and 
look for this and this and this and this.” We are reevaluating obvi- 
ously those directives that we sent out. We will look to see how this 
problem made it through and we will make sure that we don’t have 
this issue again. 

Mr. Salazar. Okay. And for those who weren’t affected on this 
one specific instance, if someone was to call your office, say myself 
as a member who participates in some of your programs, could you 
definitely be able to tell people that my information has not been 
compromised? 

Mr. Christopherson. As you call in and you give your name, 
then we actually will go through and say you are not on the list. 

Mr. Salazar. Thank you, Mr. Chairman. 

The Chairman. I thank the gentleman. 

Mr. Moran. 

Mr. Moran. Mr. Chairman, thank you very much. First of all, in 
my absence you mentioned my request for a hearing in regard to 
IT services at FSA-USDA, and I just would like to reiterate the 
importance of us providing necessary oversight and the Depart- 
ment of Agriculture making certain that the computer systems, 
particularly the servers, are adequate for meeting the needs of 
farmers, their customers. I continue to have significant concerns 
that the difficulties we are experiencing at FSA in regard to, at the 
moment, advanced direct payments is only the tip of the iceberg. 
I am worried that some catastrophic event may occur in which 
USDA is incapable of providing necessary services in any reason- 
able amount of time for farmers and ranchers across the country. 

The Chairman. Will the gentleman yield? 

Mr. Moran. Absolutely. 

The Chairman. We have been undertaking a considerable 
amount of background work, some of which I have been given 
today, but as soon as we get a little more of that pulled together, 
we will be proceeding to some kind of a hearing. But I want to 
make sure I know enough background before we get to that point. 

Mr. Moran. I thank the Chairman and I know that you have ex- 
pressed to me you have concerns about the computer capabilities 
at the Department of Agriculture and again reiterate that I think 
the issues may turn out to be very serious. 

In regard to the hearing today, the specifics of the release of in- 
formation, I just want to make certain I understand what it is that 
USDA has done wrong. My understanding is that the mistake 
made was the inclusion of the Social Security Numbers identifying 
individuals within that larger number and that was the error on 
the part of USDA. USDA has not, as I understand the testimony 
or understand the facts regarding this, has not disclosed this infor- 
mation inappropriately. In fact, by law you are required to provide 
that information to the Census Bureau and it is only through ac- 
cess to Census Bureau information this website has been able to 
obtain this information. Is my understanding correct? 

Mr. Christopherson. We are required to provide to Census Bu- 
reau information concerning the grants and loans at the Depart- 
ment of Agriculture. This number was embedded into a 15 digit 
number. Disclosing the Social Security Number wasn’t appropriate 
for our policy. Now, we do need to provide information and have 
people have the ability to access that information in question 
through FOIA and other things that information concerning grants 
and loans. 

Mr. Moran. This instance, the website did not obtain the information 
from the Department of Agriculture but from the U.S. Census 
Bureau which USDA was required to disclose to the Census 
Bureau. Is that true? 

Mr. Christopherson. We are required to disclose the informa- 
tion to the Census Bureau. The Census Bureau is actually the 
group that handles it for the government-wide initiative. 

Mr. Moran. And no problems would have arisen here but for the 
Social Security Numbers being inappropriately embedded? That is 
not the right way of saying that. Inappropriately discoverable in 
this embedded number. Had that not occurred, then the problems 
that we are describing today would not have occurred? 

Mr. Christopherson. That is actually correct. Having the Social 
Security Numbers embedded is the issue that is incorrect, actually 
sending the information to the Census Bureau is not. We are re- 
quired to do that. 

Mr. Moran. Thank you very much, and I yield back, Mr. Chair- 
man. 

The Chairman. I thank the gentleman. 

I am now going to recognize Mr. Space for his own time. I gave 
him my time earlier. 

Mr. Space. Thank you again, Mr. Chairman. 

Mr. Christopherson, I want to ask you a couple quick questions 
about the letter that went out. When did that letter go out? Do we 
have a date that that letter went out to those affected? 

Mr. Christopherson. Those affected, it actually went out a week 
ago Monday. 

Mr. Space. Did they go out by certified mail? Was there any indi- 
cation that we will have or that your agency will have concerning 
who was noticed and who wasn’t? 

Mr. Christopherson. They actually went out first-class mail. 
The address service was requested so that if it is not deliverable, 
then the post office will provide us with a slip that says this is not 
deliverable, or if it was forwarded to a new address, they will pro- 
vide us with a slip saying that this is the person’s new address so 
we can track them. 

Mr. Space. All right. Do you have any idea as to the percentage 
of people on that list that you have received a response indicating 
it was undeliverable because they have changed addresses? 

Mr. Christopherson. Right now we have approximately 25 peo- 
ple that it has been returned saying that we need either additional 
information or they have changed addresses. 

Mr. Space. And I want to clarify something in response to a 
question asked earlier. You indicated that you are still working on 
eliminating these numbers from, we will call it an account number. 
I guess my question is, is there still public access in one means or 
another out there to these embedded account numbers? 

Mr. Christopherson. I don’t believe that there is public access 
out there, and like I said, these systems are very old. They have 
been designed where the Social Security Number was a primary 
field in these, just like in the 1980s even into the 1990s. I can re- 
member at the grocery store having the Social Security Number on 
my checkbook to provide to the cashier. Now our world has 
changed and we are working to adjust these systems but no, we do 
not know of any other instance where this information has been 
disseminated out to the public. 

Mr. Space. And is your office investigating the possibility that 
that has happened through, for example, encryption on a mort- 
gage? I know a lot of these accounts had to do with loan payments. 
Has your office begun investigating whether there are unintended 
releases of information out there that you haven’t even given con- 
sideration to? 

Mr. Christopherson. We have actually done that evaluation in 
the past and we are going back again to reevaluate to make sure 
that any and all information that is going out is clean information. 
We don’t know of any information that we have sent out in this 
form. 

Mr. Space. In this case, it is not a situation where you didn’t 
know that these problems were out there, and you fixed them when 
you found out. Based on the testimony that you have offered as 
well as the audits by these other agencies, my impression is the 
USDA has known about these problems for years, certainly should 
have known about them, has not taken security as seriously as it 
should. It has not developed a commitment to adherence with the 
Privacy Act. And my question for you is this: Does the USDA need 
additional authority from this Congress, tools or resources from 
this Congress that will ensure the security of our farmers’ and our 
ranchers’ personal information and make sure that the USDA does 
in fact or is in fact able or willing to comply with the privacy laws? 

Mr. Christopherson. We are actively addressing this issue. 
Over this last — as my testimony actually says — we have actually 
sent out about seven directives to our agencies to both evaluate the 
information that they have as well as address information when it 
comes to their desktop, to provide training in that information. 
That is a very key step to make sure that this information is con- 
tained. 

Mr. Space. Are you getting the resources from Congress that you 
need to ensure that the privacy of these individuals is being pro- 
tected? 

Mr. Christopherson. At the current time, I believe that they 
are. The President’s budget amply lays out the funds needed for 
this type of a project. 

Mr. Space. Thank you, Mr. Christopherson. 

Thank you again, Mr. Chairman. I yield back. 

The Chairman. I thank the gentleman. 

Mr. Graves. 

Mr. Graves. No questions. 

The Chairman. Ms. Herseth Sandlin, you are next if you 

Ms. Herseth Sandlin. Thanks. I didn’t know it was so close to 
me asking questions. 

I have a question for Mr. Combs. You know, Mr. Christopherson, 
you mentioned in response to an earlier question the situation of 
what happened with the VA and the loss of records that were on 
a laptop. A few of us on this Committee also serve on the Veterans 
Affairs Committee, and during all of the oversight that we did on 
that issue; not just once the laptop was retrieved, was the informa- 
tion accessed and used for identity theft purposes; which thankfully 
there was no evidence to that effect, but what type of information 
security measures have been undertaken at our various agencies. 
In the case of the VA, and one of the things that we found was that 
past chief information officers at the VA were very frustrated with 
the bureaucratic barriers that they encountered in the agency to 
actually implement certain controls and other security measures 
over the past few years, and there was reference made earlier 
about these are old systems and this was a number embedded in 
a field. Mr. Combs, has there been any instance in which you feel 
that you could have been able to identify it rather than someone 
out viewing this public website that there was a problem with one 
of the older programs or the older system with a Social Security 
Number being embedded in the field because of any barriers that 
you have faced in implementing your recommendations and various 
security measures at USDA? 

Mr. Combs. That is a very good question. USDA and my office 
and the network of security folks that I work with throughout the 
Department, as you may know, is a federated approach where 
there are 29 agencies and offices and we now have a very close 
working relationship with all of these agency CIOs. Even though 
they don’t report to me we have a very close working relationship. 
My office issues policies and requirements to survey systems, to 
comply with FISMA and all of these aspects of security. I will have 
to say that I have really experienced no resistance from the cadre 
of folks that I deal with throughout the Department. Even though 
they don’t report to me, that is not really an issue. We are working 
as a team. They are a very good group of people who are as con- 
cerned about IT security as I am, and it is just a very complex 
problem and we are very sorry that we did not pick up this one 
particular kind of exposure here. It just slipped through the net 
that we put out. But we are doing many, many things to tighten 
up our security. We are putting in system, what we call defense in 
depth where there are many layers of security so that people can’t 
get into our systems. Just yesterday we had almost 20,000 people 
attempt to hack into USDA systems. Well, our defense caught that 
and blocked it. But I really can’t say that I have had any resistance 
to these many directives and efforts that we are making. It is a 
pretty complex process to try to corral all of these problems because, 
as you know, Social Security Number is used in almost 
every financial system in the Federal Government because of the 
reporting requirements. So the bottom line is, no, I have not really 
seen the, “bureaucratic resistance” to what we need to do at USDA. 

Ms. Herseth Sandlin. And how long have you been the Chief 
Information Officer at USDA? 

Mr. Combs. Since October of 2004, I believe. 

Ms. Herseth Sandlin. And I am pleased to hear that you 
haven’t experienced that kind of resistance that your counterparts 
in other agencies perhaps have. The other part of my question was, 
is there anything then as a matter of resources that could have 
been done, not so much in protecting the existing systems but 
going back to older systems that seem to be part of the reason why 
this problem eluded the agency for 11 years in terms of detecting 
it, you and your cadre of folks. Where could you have identified this 
problem had you had sufficient resources or other authorization 
that you need from this Committee? 

Mr. Combs. I believe that one of the processes that we used in 
the past was one that was a very detailed questionnaire, but in 
hindsight now we see there were some questions that we needed 
to ask. It is called a Privacy Impact Assessment and there are 
some specific questions that we will now be adding to that so that 
something cannot be misinterpreted or just treated as general. So 
we will be tightening that up, and that process is one of education 
and learning from our mistakes or our issues that we run into. 

Ms. Herseth Sandlin. Thank you, Mr. Chairman. 

Thank you for the testimony. 

The Chairman. I thank the gentlelady. 

Does the gentlelady from North Carolina have any questions? 

Ms. Foxx. No, sir. 

The Chairman. Mr. Walz? 

Mr. Walz. Thank you, Mr. Chairman, and thank you, Mr. 
Christopherson, and gentlemen for coming today and I appreciate 
the complexity of the issue you are dealing with and your striving 
for excellence is appreciated. I know it is a tough job. The issue is 
with personal information security. It is pretty much a zero-sum 
game though. If you lose it, you lose it and it causes problems and 
we all know that. My question is somewhat I guess segueing with 
the gentlewoman from South Dakota’s question. I also sit on the 
Veterans Affairs Committee and we have been through this numer- 
ous times. I am one of the people who received one of those 26 mil- 
lion letters last year, and to sit in there several weeks ago and lis- 
ten to the people from the VA tell us that since that time the inci- 
dent that lost 26 million, we have had in excess of 100 such 
breaches of security that lost personal data. This was after all the 
scrutiny had been brought down on them. It had been when their 
resources were reallocated and everything. We are still having 
that. 

My question is maybe a little broader and to ask you with your 
experience on this, is there any sharing of lessons learned and best 
practices amongst agencies in the U.S. Government, or are you con- 
vinced that the systems technology that you have is so vastly dif- 
ferent from the VA that the protocols they are following or not fol- 
lowing would not apply to you? I am just wondering what type of 
sharing happens amongst agencies when it comes to IT. 

Mr. Christopherson. Well, I will let Mr. Combs answer a piece 
of that because obviously the CIO’s organization has the ability to 
share information and I know that they do. As well as the informa- 
tion between the CIOs, I can tell you that we read reports and in- 
formation from various aspects of the government to understand 
where this information actually gets disclosed, et cetera. This is a 
learning game obviously. These people out there are smart that 
look at these systems. We are constantly on the educational phase 
of this to make sure that we can stay ahead of the game. 

Mr. Walz. And who does your internal audits and oversees inter- 
nal IT? What is the entity that does that internally inside USDA? 

Mr. Christopherson. That is our OIG, the Inspector General 
group. 

Mr. Walz. Okay. And you think they are fully funded? The prob- 
lem we had in the VA system was that they told us when we asked 
them, “Do you have the resources to do all the inspections you 
need,” they said no point blank. And then we asked them, “If they 
were seen as a part of the solution or if they were seen as a watch- 
dog to keep at arm’s length,” and the answer wasn’t quite as I 
would have liked it to be. How do you think the IG is viewed inside 
USDA? 

Mr. Christopherson. I can tell you, we work closely with IG 
and they have a high-quality group. Some of our audits and those 
type of functions are actually procured on the outside with large 
firms because we are a large agency. We have a lot of work that 
has to be accomplished when it comes to the audit functions but 
our Inspector General’s group is a very high-quality group. They 
seem to be very knowledgeable. They actually bring a lot to the 
plate as we have these discussions and we are actively moving for- 
ward with them. 

Mr. Walz. Super. I appreciate your time and your answers. I 
yield back, Mr. Chairman. 

The Chairman. I thank the gentleman. 

Mr. Donnelly. 

Mr. Donnelly. Thank you, Mr. Chairman. 

During the testimony, we are looking at completing inventory of 
the systems, memos are dated back to June of 2006, and I guess 
the question I have is, is how did we miss it when somebody found 
it on Google? 

Mr. Christopherson. This was actually, it was embedded in this 
15 digit number. Unfortunately it was the one area that was 
missed. This information as we look back at it was an automated 
function. It sent out the information. We looked, we didn’t see any 
other areas inside of USDA where we had this issue. Now, that 
being said, we are going to go back and re-evaluate all the informa- 
tion that we send outside as well as the systems again. We are not 
happy that this happened. I realize that Congress is not happy but 
we are very unhappy. We have worked hard over this last year to 
try to make sure that we had the regulations, the training to make 
sure from the systems to the process to the desk procedures, that 
everybody understood what their responsibility was and that this 
information was evaluated. 

Mr. Donnelly. The IT services, are any of them contracted to a 
private company at this time? Because I am on the Veterans Com- 
mittee as well. One of the things we saw in Walter Reed that there 
were private contracting issues in a lot of the difficulties there. I 
was wondering if we are doing private contracting of our IT serv- 
ices at the USDA. 

Mr. Christopherson. We do do some private contracting of IT 
services and we have agreed that for the record we would actually 
disclose information concerning those contracts. In some aspects 
and especially this is one of them, to have actually contractors that 
specialize in this is very important. Part of my background is actu- 
ally as an executive responsible for a private entity that was spe- 
cialized basically for our customers trying to break into their sys- 
tems. It is very specialized. It is very expensive labor who does this 
and it is very important that we have services like that retained. 
So there are instances where this becomes very important in a skill 
set in order to have it contracted and available. 

Mr. Donnelly. So it is not a skill set that we went private to 
save a few bucks, it is that they have some skills that we may not 
have internally in the USDA? 

Mr. Christopherson. That is correct. So in other words, what 
would happen would be that because this is ever changing, it takes 
a breadth of experience, they learn things by working with multiple 
customers. It is important at times that we do have these groups 
that are available to provide this service versus having our internal 
groups that see the same thing day in and day out. 

Mr. Donnelly. When I go home this weekend and talk to some 
of the farmers back home in Indiana, how do I restore their faith 
in this system when they say, “Joe my information is right there 
online,” how do we rebuild that confidence? 

Mr. Christopherson. Like I said, we regret that this happened. 
I realize that regret doesn’t actually help out the producers out 
there but we are taking all the steps that are available to us in 
order to take care of this. 

Mr. Donnelly. So we tell them we are in full speed on fixing 
that? 

Mr. Christopherson. We are on full speed on fixing that. 

Mr. Donnelly. My last question would be, one of these loans 
that comes through and it happens today, and I apologize if I 
missed this earlier but what would I find on the computer today 
for one of these loans or disclosures that is out there? 

Mr. Christopherson. We have actually redacted that field out 
of the system at this time and we are looking at what kind of a 
numbering system we are going to use to replace that. 

Mr. Donnelly. Okay. So everything, if you go on that site now, 
they are all gone? 

Mr. Christopherson. They are all gone. 

Mr. Donnelly. Thank you very much. 

Thank you, Mr. Chairman. 

The Chairman. I thank the gentleman. 

I am going to invoke the chair’s prerogative here to ask one ques- 
tion because the Ranking Member and I have kind of the same 
question. In your statement here, you say that pursuant to the di- 
rection from OCIO last summer, that USDA agencies searched for 
the presence of Social Security Numbers in the system but the 
FAINs eluded attention because the sensitive information was not 
readily apparent when viewing the aggregated data. It is hard for 
me to understand how you could have looked at this and not seen 
it. Is it because you had the computers look and the computer 
couldn’t figure this out? If somebody, if an actual person would 
have looked at this, it would have probably jumped out at you if 
you would have seen it. You know, how did that happen? How 
could you be actually looking for this since last summer and it gets 
missed? 

Mr. Christopherson. Well, during our reviews we were actually 
fairly specific in the way that we asked for the information in the 
questions. We may have been too specific. 

The Chairman. But was it just done by computer? 

Mr. Christopherson. No, it was actually just done by computer. 
It was actually accomplished by our IT professionals. 

The Chairman. No, but I mean, did anybody actually look at any 
of this stuff or did you just run a computer program trying to iden- 
tify it? 

Mr. Christopherson. No, people actually did look at the stuff, 
but it just was not in the format that if you were to look at it that 
it was very apparent. It took a number of years. This has been out 
there for a long period of time and obviously personal informa- 
tion — 

The Chairman. But how could it be in a format so this person 
whoever discovered this could figure it out and you guys couldn’t? 

Mr. Christopherson. Because this person actually knew their 
number and so as they were looking, they saw their number in 
there and they alerted us. You know, once again, like I said, we 
are going back to look at our procedures and we are addressing this 
as we look to go forward. We will review, we will look, we will re- 
view again and look again. 

The Chairman. Well, so, because there were numbers ahead of 
the Social Security Number and numbers after the Social Security 
Number, it just looked like one big long 15 digit number? Is that 
basically what the deal is? 

Mr. Christopherson. That is actually correct. There are num- 
bers in this field. There are 15 digit numbers and by just looking 
at it blankly, if you didn’t know, if it wasn’t your number that was 
in there, it is not necessarily fully apparent. 

The Chairman. I guess I can see that, although being a CPA and 
having looked at Social Security Numbers on thousands and thou- 
sands of tax returns, I probably would have figured it out, but 
there might not be many people like that. 

Mr. Christopherson. There actually is a copy of what the num- 
ber would look like, Mr. Chairman. 

Mr. Combs. Mr. Chairman, if I may, let me show you an example 
of — I don’t know whether you can read it there or not but this is 
a 15 digit number and can you see the numbers in there, Mr. 
Space? Do you recognize anything in there? 

The Chairman. That is too far away for me to see. 

Mr. Combs. Let me show it to you again. Here is the same num- 
ber but I have highlighted in yellow. In the middle of this number 
is the telephone number of the switchboard for the House of Rep- 
resentatives, and those of us who have called that number would 
probably look at that say, “Oh, that is the switchboard number.” 
But if you didn’t know that, this is just 15 digits. And so that is 
the theory. If it is not your Social Security Number, it is just 15 
digits. 

The Chairman. I can see that, but like in my part of the world, 
I suppose you have to look at four or five of them but the Social 
Security Numbers, the first three digits are all the same generally. 
They are within a range. And so people that deal with it a lot prob- 
ably would see it after looking at four or five of them. I suppose 
if you were sitting out here in Washington and looking at Social 
Security Numbers in some states, you would not correlate it. So 
that is why the eyes on didn’t come up with anything. And the 
computer, you didn’t run any computer programs to see if you could 
identify any Social Security Numbers? Why wasn’t that done? 

Mr. Combs. The embedded nature of this is the issue. 

The Chairman. You wouldn’t have been able to pull it up? 

Mr. Combs. There are programs that in hindsight now you can 
search, there are ways to search for embedded information but we 
did not have that tool available to us, no, sir. 

Mr. Goodlatte. I just want to clarify. So in other words, the 
woman who I cited in my opening statement who looked on the 
Internet, did a search in her name and her name showed up with 
a number after it, she was looking at a 15 digit number, not a nine 
digit number? 

Mr. Christopherson. She was looking at a 15 digit number 
without any dashes or anything like that in it. 

Mr. Goodlatte. And noticed that her Social Security Number 
was contained within those 15 digits? 

Mr. Christopherson. That is correct. 

Mr. Goodlatte. Do you know what the other six digits rep- 
resented? 

Mr. Christopherson. It had to do with the county offices and 
the state number. 

Mr. Goodlatte. Thank you, Mr. Chairman. 

Ms. Foxx. Mr. Chairman? 

The Chairman. The gentlelady from North Carolina. 

Ms. Foxx. I have thought of a question I wanted to ask. Did I 
hear you all say that the creation of these numbers first occurred 
11 years ago? Is that what you said? 

Mr. Christopherson. I believe it actually occurred, from what 
my staff has briefed me on, about 26 years ago, if not before that. 

Ms. Foxx. So there have been several Administrations since this 
number was created? 

Mr. Christopherson. It has been several years since this num- 
ber has been created. 

Ms. Foxx. Okay. Thank you. 

The Chairman. I thank the gentlelady. 

The gentleman from North Dakota, Mr. Pomeroy. 

Mr. Pomeroy. Mr. Chairman, I thank you for this hearing and 
I appreciated your line of questioning. 

This isn’t something that maybe would have come to light at 
30,000 feet but somewhere in USDA someone is in charge of these 
databases. That is their job, their job is to make sure that you are 
not revealing taxpayers’ sensitive information in any way and so it 
is not really a matter, Mr. Combs, of looking at a number on a page 
and whether a layman in 2 seconds is going to draw anything from 
it or not. Someone didn’t do their job. You pay someone to make 
sure these databases are appropriately maintained and to protect 
the public information concealed behind those databases and some- 
body didn’t do their job, and I trust that USDA feels bad about it. 
I know the professionalism of the men and women that work there, 
but it is completely unacceptable, and I tell you, there is a lot of 
concern out there about just who and what is going after these 
numbers. Now, I understand you have a universe of 92 people that 
have taken these numbers, some set of folks that have these num- 
bers, downloaded them. I would like to know a little more about 
your investigation into who has these numbers and why they have 
them and are you getting them back without them having been 
copied in the meantime. 

Mr. Christopherson. This database actually — people who have 
these numbers, one of them is obviously the watch group that we 
had discussed earlier. A lot of them have to do with states and uni- 
versities that have this information. We have actively contacted 
them. 

Mr. Pomeroy. I want to know, is the number 92? 

Mr. Combs. I will be happy to answer that. 

Mr. Pomeroy. Sure, Mr. Combs. 

Mr. Combs. The number of entities that were on a distribution 
list from the Bureau of Census for the FAADS database of which 
I believe even Congress, states and a lot of them were government 
entities, but there were 92 of those who subscribe to a regular dis- 
tribution every quarter of this FAADS database from the Bureau 
of Census, and it is those people and entities that we have con- 
tacted. We have attempted to contact all 92 of them. Some of them 
are from years and years ago so they are bad numbers and so 
forth. But every one of those to a person and an entity that we 
have contacted has agreed to destroy or certainly redact the infor- 
mation that they had received. They appreciated the problem. And 
on the other side, the concern is, are there other websites or enti- 
ties that may have gotten this information, and my organization 
has contacted all of the major search engine companies, every enti- 
ty we can think of that might have had a reason to download this 
same database and put it up someplace. I have personally con- 
tacted about eight senior executives within these major corpora- 
tions and they have gone back and searched and came back to me 
and affirmed that they did not or they could not find any reference 
to where this data was available. So as we discover new places to 
look and ask, we are not just assuming, we are picking up the 
phone or e-mailing or every means we can to contact these people 
and make sure it is not there. 

Mr. Pomeroy. I appreciate that and I think that we would ap- 
preciate, I would put in a request that you submit to the Com- 
mittee a follow-up based on the universe of 92 and what has been 
the conclusion. I don’t even care if you name the 92 or not but just 
how many, has this been resolved, how many are still in discus- 
sion, how many haven’t been contacted. 

Mr. Combs. We will be happy to do that, sir. 

Mr. Pomeroy. Now, where are you on the project with the 92? 

Mr. Combs. At the current time, we have basically attempted to 
contact all of them and have sent out some — some of them we had 
e-mail addresses for and we have not heard back from. I would say 
our activity on the contacting, the proactive part is finished. We 
have done every possible method of communicating with these folks 
that we can. It is the hearing back from some of them that we 
have — we need to close the book on that at some point. 

Mr. Pomeroy. My own thought is, the sensitivity of this informa- 
tion is of a high enough concern to where personnel ought to get 
on airplanes and go fly down and track some of these people down 
or however you might work it though offices in the states. Let us 
get that completed. 

Mr. Christopherson. We agree. As of our briefing this morning, 
about 65 percent of these people were actually contacted, and just 
to set the record straight, it wasn’t this person’s actual Social Security 
Number that was embedded that has contacted us. It was actually 
their employer ID number that is actually assigned by the IRS. 

Mr. Pomeroy. So it is not their Social Security Number, it is the 
employer ID number? 

Mr. Christopherson. For the person who actually contacted us. 

Mr. Pomeroy. What about the information of the taxpayers that 
has been disclosed? It is my understanding that Social 

Mr. Christopherson. Those are Social Security Numbers. I just 
wanted to make sure that that was clear between the two for the 
record. 

Mr. Pomeroy. I appreciate that. You said 65 percent of the 92 
have been contacted? 

Mr. Christopherson. That is correct. 

Mr. Pomeroy. That is not very good. I mean, you have testified 
that you understand this is of the highest concern. Well, then let 
us get 100 percent nailed down now. This is a mistake that 
shouldn’t have happened and I believe the book needs to be closed 
on getting ahold of each group to whom the inappropriate distribu- 
tion was made quickly. 

Mr. Christopherson. I understand your concern, and we will 
adequately attempt to make sure that we contact these people. 

Mr. Pomeroy. I would like to see a little more urgency on getting 
that 65 percent to 100 percent, to be frank. Thank you. 

The Chairman. I thank the gentleman. 

The gentlelady from Ohio, we have about a minute or 2. 

Mrs. Schmidt. I am going to be very quick. This isn’t the first 
time we are going to have this kind of a problem. When I was in 
college many, many years ago, we had to put our Social Security 
Number on every test and every booklet. With the age of the Inter- 
net and mass communication, we are going to see more and more 
of this issue. What kind of ideas do you have to go forward not 
from just the USDA but any other department that has to keep 
track of who we are, how to identify, and allow other agencies to 
figure out you are working with the same person other than a So- 
cial Security Number? I know that is a lot and you have got about 
30 seconds to answer and you can call me later if you need to. 

The Chairman. All right. I thank the gentlelady. You will submit 
that answer in writing? 

Mr. Christopherson. We will submit that for the record. 

The Chairman. And we may have some other questions that we 
will be asking for you to answer in writing. We appreciate you 
being with us today and I look forward to you keeping us updated 
on how you are doing. 

Mr. Christopherson. Thank you, Mr. Chairman. 

The Chairman. I thank everybody, and the Committee stands 
adjourned. 

[Whereupon, at 2:30 p.m., the Committee was adjourned.] 
Questions for the U.S. Department of Agriculture * 


Questions Submitted by Hon. Bob Etheridge, a Representative in Congress 
From North Carolina 

Question 1. How much information technology at USDA is contracted out to the 
private sector? Please distinguish between in-house and outside contractors. 

Question 2. How many are under contract? 

Question 3. How are the contracts drawn up? Are they open ended or within a 
definitive time? 

Question 4. Are contracts conducted by open bids? If not, how are they conducted? 

Question Submitted by Hon. Earl Pomeroy, a Representative in Congress 
From North Dakota 

Question. Please report the progress and results of your attempts to contact all 
92 of the entities who subscribe to the FAADS site. Names are not necessary. 

Question Submitted by Hon. Jean Schmidt, a Representative in Congress 
From Ohio 

Question. Please outline your plans for identifying clients without the use of So- 
cial Security Numbers. How will duplication between agencies be avoided? 



*At the time this hearing went to press the responses were not submitted. 



